Business Continuity Template
ISO 27000, Sarbanes-Oxley, HIPAA, PCI DSS, COBIT, and ITIL Compliant
Prepared by Janco Associates, Inc.
Park City, UT 84060
www.e-janco.com
email - support@e-janco.com
Web sites – http://www.e-janco.com - http://www.it-toolkits.com -- http://www.itproductivity.org
Version 5.6
© 2010 Copyright Janco Associates, Inc. ALL RIGHTS RESERVED
This is a sample of the final product. These pages are for your review only and are protected by Janco's copyright. PAGES HAVE BEEN EXCLUDED.
Enterprise logo here
Disaster Recovery Business Continuity
Table of Contents
1.0 Plan Introduction .............................................................................................................. 12
1.1 Mission and Objectives .......................................................................................... 13
Compliance ............................................................................................................. 13
Implication of Legislated and Industry Standards Requirements ................................. 13
Sarbanes-Oxley ....................................................................................................... 14
COSO...................................................................................................................... 16
PCI DSS .................................................................................................................. 17
COBIT..................................................................................................................... 17
ISO 27000 Compliance Process .............................................................................. 18
Define the Control Environment ................................................................................ 18
Control the Environment by Implementation and Management ................................... 18
Audit and Examine the Control Processes .................................................................. 19
1.2 Disaster Recovery / Business Continuity Scope ..................................................... 20
1.3 Authorization ......................................................................................................... 20
1.4 Responsibility ......................................................................................................... 20
1.5 Key Plan Assumptions ............................................................................................ 21
1.6 Disaster Definition .................................................................................................. 22
1.7 Metrics ................................................................................................................... 22
1.8 Disaster Recovery / Business Continuity and Security Basics ..................................... 24
Servers .................................................................................................................... 24
Network.................................................................................................................. 25
Clients ..................................................................................................................... 26
Recovery Procedures.............................................................................................. 26
Communication ...................................................................................................... 26
Designated operators ............................................................................................. 26
Designated manager .............................................................................................. 27
External resources .................................................................................................. 27
Insurance ................................................................................................................ 27
NOTE – Due to incompatibilities between WORD 2003 and WORD 2007 you may need to regenerate the Table of Contents. The
Table of Contents was generated using WORD 2007 and if you use this document in any version other than WORD 2007 you will
have to update the Table of Contents and all update fields which link to unique pages in this template.
6.9 Operations............................................................................................................100
7.0 Plan Administration ........................................................................................................101
7.1 Disaster Recovery Manager .................................................................................101
7.2 Distribution of the Disaster Recovery Plan ..........................................................102
7.3 Maintenance of the Business Impact Analysis .....................................................103
7.4 Training of the Disaster Recovery Team ..............................................................103
7.5 Testing of the Disaster Recovery Plan ..................................................................104
7.6 Evaluation of the Disaster Recovery Plan Tests ...................................................106
7.7 Maintenance of the Disaster Recovery Plan ........................................................107
8.0 Appendix .........................................................................................................................109
8.01 Plan Distribution...................................................................................................110
8.02 ENTERPRISE Sales Offices .....................................................................................111
8.03 Disaster Recovery Team Call List ..........................................................................112
8.04 Vendor Phone/Address List ..................................................................................114
8.05 Off-Site Inventory .................................................................................................118
8.06 Personnel Location Form ........................................................................................119
8.07 Hardware/Software Inventory .............................................................................120
8.08 People Interviewed ..............................................................................................121
8.09 Preventative Measures ........................................................................................122
8.10 Sample Application Systems Impact Statement ..................................................123
8.11 JOB Descriptions...................................................................................................124
Disaster Recovery Manager .................................................................................124
Position Purpose .................................................................................................... 124
Problems and Challenges ....................................................................................... 124
Essential Position Functions .................................................................................... 124
Principal Accountabilities ...................................................................................... 124
Authority................................................................................................................ 125
Contacts ................................................................................................................. 125
Position Requirements .......................................................................................... 125
Manager Disaster Recovery and Business Continuity ..........................................126
Position Purpose .................................................................................................... 126
Problems and Challenges ....................................................................................... 126
Essential Position Functions .................................................................................... 126
Principal Accountabilities ...................................................................................... 126
Authority................................................................................................................ 127
Contacts ................................................................................................................. 127
Position Requirements .......................................................................................... 127
Pandemic Coordinator .........................................................................................128
Position Purpose .................................................................................................... 128
Problems and Challenges ....................................................................................... 128
Essential Position Functions .................................................................................... 128
Principal Accountabilities ...................................................................................... 128
Authority................................................................................................................ 129
Contacts ............................................................................................................... 129
Position Requirements ........................................................................................... 129
Career Ladder ....................................................................................................... 130
8.12 Application Inventory and Business Impact Analysis Questionnaire ...................131
The intent of a Disaster Recovery Plan is to provide a written and tested plan directing the
computer system recovery process in the event of an interruption in continuous service resulting
from an unplanned and unexpected disaster.
The Disaster Recovery Plan preparation process includes several major steps as follows:
These steps were conducted and this document represents the completed effort in the
preparation of the ENTERPRISE Disaster Recovery Plan.
Compliance
Various compliance frameworks can be used to assess BCP measures—ISO, COBIT,
COSO, etc.—but key aspects are similar:
[2] Critical time frames include both the point in time that the recovery will be set to and the point in time that the recovery will be completed and the enterprise can be back in operation.
[3] This section is for informational purposes and can be excluded from the plan.
Mobile Data Center / Office Space (24 to 48 hours): Pre-configured mobile resources for data center or client workspace recovery. This approach avoids employee travel issues but has limitations on equipment availability and outbound bandwidth if very small aperture satellite terminal (VSAT) links must be used for communications. Businesses also typically assume that they can be placed in the parking lot of the affected site, so if the disaster profile includes events such as hurricanes, floods or toxic spills, these solutions may not be appropriate.
Cold Site (72 plus hours): "Environmentally appropriate" space can be either provisioned internally or contracted from a commercial facilities service provider. Cold-site strategies are usually based on "quick-ship" delivery agreements to allow server, storage, and communications hardware and network service providers to quickly build out the data center and/or client workspace infrastructure. In the case of an extensive disaster such as a hurricane or earthquake this option is less favorable.
Reciprocal Site (12 to 48 hours): This is typically a formal agreement between two trusted, non-competing partners in different industries in which each provides secure sites for the other. This option is the least favorable and has the greatest risk associated with it.
Backup Strategy
Backups can be accomplished locally, centrally or both. There are
advantages and disadvantages to each. The table below lists some of the
advantages and disadvantages of each.
Policy
The purpose of this policy is to define the need for performing periodic computer system
backups to ensure that mission critical administrative applications, data and archives, as well as
users' applications, data and archives, are adequately preserved and protected against data loss
and destruction. Each ENTERPRISE unit responsible for providing and operating a mission critical
application must document and perform System Specific Data Backup or at least Minimal Data
Backup on a periodic basis.
Computer systems that create or update mission critical ENTERPRISE data on a daily basis need
to be backed up on a daily basis to minimize the exposure to loss of mission critical data. The unit
responsible for providing and operating such systems must conduct a systematic and detailed
investigation of all the influencing factors leading to the compilation of a comprehensive System
Specific Data Backup Policy. System specific backup policies must at least fulfill the
requirements of the Minimal Data Backup Policy.
Applicability
This policy applies to all operating units of ENTERPRISE. This backup policy is defined to protect
against the following situations:
• Destruction of data media by force majeure, e.g. fire or water
• Deliberate and/or accidental deletion of files, by computer viruses etc.
• Inadvertent deletion or overwriting of files
• Technical failure of storage device (head crash)
• Faulty data media
• Demagnetization of magnetic data media due to ageing or unsuitable environmental conditions (temperature, air moisture)
• Interference of magnetic data media by extraneous magnetic fields
• Uncontrolled changes in stored data (loss of integrity)
A recovery from a disaster is best conducted by teams of personnel that are formed to perform
specific functions (e.g., hardware acquisition, hardware installation, operations). The number
and types of teams are dictated by the size and type of computer processing capabilities and
facility the plan is being developed to recover.
The organization of the staff to recover the system is designed for the worst case situation. The
worst case, requiring a move to the alternative site, must be executed by a coordinated team to
minimize the operational impacts to end-users, senior management and ENTERPRISE as a whole.
Organization chart: Senior Recovery Manager; Recovery Manager
The purpose of this questionnaire is to determine the criticality of the applications used at ENTERPRISE. The information
provided will be used to develop an Application Inventory that can be used in the Disaster Recovery Plan that minimizes
the impact of the loss of this application in the event of a disaster. (PLEASE USE ADDITIONAL BLANK PAPER OR
ATTACHMENTS WHEREVER NECESSARY)
Facility / Business Function / Application
Name: _____________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
Was this developed in-house or purchased from a vendor? If purchased from a vendor, do you hold the plans,
source code etc: _____________________________________________________________________________
__________________________________________________________________________________________
If the application is a purchased package, are there extensive modifications to this application (briefly describe
modifications): ______________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
Who is the owner of this application (i.e. Joe Smith of Accounting)? ____________________________________
__________________________________________________________________________________________
Version 5.5 © 2010 Copyright Janco Associates, Inc. - http://www.e-janco.com Page 133
Provide the following information for each application and file server:
• Host name
• IP address and mask for the server
• Administrative contact for the server and security contact (i.e. primary user or department head name and phone number)
• User Types
• Operating system including version number
• Application Software including version number
• Review status (Yes/No, Date, Reviewer)
• Connectivity (Internet, Intranet, modem in, modem out, other)
• Physical location (Address / phone number for contact)
IP Address Range | Operating System | OS Version / Reviewed | Application | App Version / Reviewed
___.___.___.___ to ___.___.___.___ | Unix | Ver: ____________ Yes / No | _________________ | Ver: _________ Yes / No
___.___.___.___ to ___.___.___.___ | Lynx | Ver: ____________ Yes / No | _________________ | Ver: _________ Yes / No
___.___.___.___ to ___.___.___.___ | Other ____________ | Ver: ____________ Yes / No | _________________ | Ver: _________ Yes / No
____________________________________________________________________________________________________
____________________________________________________________________________________________________
____________________________________________________________________________________________________
____________________________________________________________________________________________________
____________________________________________________________________________________________________
____________________________________________________________________________________________________
____________________________________________________________________________________________________
ENTERPRISE
Vendor Disaster Recovery Planning Questionnaire
3. What duration of time is assumed for each type of failure scenario or outage you plan for? ___________________________ (please specify # and hours, days, weeks, months, etc. for each type)
Version History